1. Field of the Invention
This application relates to the field of computer data storage and more particularly to the field of configuring control system call access to data storage devices.
2. Description of Related Art
Host systems may store and retrieve data using a data storage device containing a plurality of host interface units (ports) that communicate with and store and retrieve data on internal storage facilities provided within the data storage device. Such data storage devices are provided, for example, by EMC Corporation of Hopkinton, Mass. and disclosed in U.S. Pat. No. 5,206,939 to Yanai et al., U.S. Pat. No. 5,778,394 to Galtzur et al., U.S. Pat. No. 5,845,147 to Vishlitzky et al., and U.S. Pat. No. 5,857,208 to Ofek.
The host systems may be assigned limited access to specific portions of the internal storage facilities, where that access may include reading and writing data and "system calls" that cause the data storage device to execute administrative-like operations (e.g., automatic mirroring, copying, back up). The system calls do not directly read and write data. Even so, system calls may cause one of the user host systems to indirectly access data allocated to another one of the host systems. In addition, remote system calls may be issued to a storage element through a remote storage device (e.g., in a disaster recovery situation) or through a fabric port.
The use of system calls which may provide one host system with unintended indirect access to a memory resource allocated to another host system may not be a problem if all host systems and the entire storage device are controlled by a single entity (i.e., are all owned and operated by a single company) that is capable of coordinating access among different groups within the entity. However, in instances where not all of the host systems are controlled by a single entity (e.g., in instances where a plurality of different smaller companies share use of a single data storage device) and in instances where different groups of the same entity access the host systems in an uncoordinated manner, it may be undesirable to allow such indirect access of internal storage facilities using system calls, especially in instances where the data storage device contains sensitive data of one or more of the entities and/or groups within a single entity. Furthermore, in configurations where a storage device is coupled to additional storage devices to provide backup services therefor, it may be undesirable to allow unintended access to data via system calls.
According to the present invention, determining authorization for actions includes defining a plurality of groups, defining a plurality of action types and corresponding levels of authorization for each of the groups, for at least a subset of the action types, defining a plurality of devices on which corresponding actions may be performed, where at least some of the devices correspond to portions of a data storage device, and, for the at least one of the groups, determining authorization for a requested action, where if the action corresponds to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group and by examining the plurality of devices corresponding to the requested action and where if the action does not correspond to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group. The action types may include system calls to the data storage device. The at least one of the devices may include at least one disk storage area of the data storage device. The at least one of the devices may include communication ports of the data storage device. The action types may indicate whether system calls are allowed on the communication ports. In response to a requested action being authorized, a tag may be returned that may be used in connection with subsequent requests that the action be performed.
According further to the present invention, determining authorization for actions includes determining if a requestor is in a list of requestors, determining if the requested action is in a list of action types associated with the requestor, and, if the action uses at least one device, determining if the at least one device is in a list of devices associated with the requestor and the requested action, where the list of devices includes at least some devices associated with a data storage device. Determining authorization may also include, if the requestor is not in the list of requestors, using a default requestor from the list of requestors. Determining authorization may also include, if the requestor is not in the list of requestors, denying authorization. Determining authorization may also include, if the requested action does not use at least one device, authorizing the action if the requested action is in a list of action types associated with the requestor. At least some of the action types may not correspond to actions performed on the data storage device. The action types may include system calls to the data storage device. At least one of the devices may include at least one disk storage area of the data storage device. The at least one of the devices may include communication ports of the data storage device. The action types may indicate whether system calls are allowed on the communication ports. Determining authorization may also include, in response to a requested action being authorized, returning a tag that may be used in connection with subsequent requests that the action be performed.
According further to the present invention, an apparatus that determines authorization for actions includes means for defining a plurality of groups, means for defining a plurality of action types and corresponding levels of authorization for each of the groups, means for defining a plurality of devices on which corresponding actions may be performed for at least a subset of the action types, where at least some of the devices correspond to portions of a data storage device, and, means for determining authorization for a requested action for the at least one of the groups, where if the action corresponds to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group and by examining the plurality of devices corresponding to the requested action and where if the action does not correspond to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group. The action types may include system calls to the data storage device. The at least one of the devices may include at least one disk storage area of the data storage device. The at least one of the devices may include communication ports of the data storage device. The action types may indicate whether system calls are allowed on the communication ports. In response to a requested action being authorized, the apparatus may return a tag that may be used in connection with subsequent requests that the action be performed.
According further to the present invention, an apparatus that determines authorization for actions includes means for determining if a requestor is in a list of requestors, means for determining if the requested action is in a list of action types associated with the requestor, and means for determining if the at least one device is in a list of devices associated with the requestor and the requested action if the action uses at least one device, where the list of devices includes at least some devices associated with a data storage device. The apparatus may also include means for using a default requestor from the list of requestors if the requestor is not in the list of requestors. The apparatus may also include means for denying authorization if the requestor is not in the list of requestors. The apparatus may also include means for authorizing the action if the requested action is in a list of action types associated with the requestor if the requested action does not use at least one device. At least some of the action types may not correspond to actions performed on the data storage device. The action types may include system calls to the data storage device. At least one of the devices may include at least one disk storage area of the data storage device. The at least one of the devices may include communication ports of the data storage device. The action types may indicate whether system calls are allowed on the communication ports. The apparatus may include means for returning a tag that may be used in connection with subsequent requests that the action be performed in response to a requested action being authorized.
According further to the present invention, computer software that determines authorization for actions includes executable code that accesses a plurality of groups, executable code that accesses a plurality of action types and corresponding levels of authorization for each of the groups, executable code that accesses a plurality of devices on which corresponding actions may be performed for at least a subset of the action types, where at least some of the devices correspond to portions of a data storage device, and, executable code that determines authorization for a requested action for the at least one of the groups, where if the action corresponds to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group and by examining the plurality of devices corresponding to the requested action and where if the action does not correspond to one of the devices, authorization is determined by examining the levels of authorization for action types corresponding to the at least one group. The action types may include system calls to the data storage device. The at least one of the devices may include at least one disk storage area of the data storage device. The at least one of the devices may include communication ports of the data storage device. The action types may indicate whether system calls are allowed on the communication ports. In response to a requested action being authorized, executable code may return a tag that may be used in connection with subsequent requests that the action be performed.
According further to the present invention, computer software that determines authorization for actions includes executable code that determines if a requestor is in a list of requestors, executable code that determines if the requested action is in a list of action types associated with the requestor, and executable code that determines if the at least one device is in a list of devices associated with the requestor and the requested action if the action uses at least one device, where the list of devices includes at least some devices associated with a data storage device. The computer software may further include executable code that uses a default requestor from the list of requestors if the requestor is not in the list of requestors. The computer software may further include executable code that denies authorization if the requestor is not in the list of requestors. The computer software may further include executable code that authorizes the action if the requested action is in a list of action types associated with the requestor if the requested action does not use at least one device. At least some of the action types may not correspond to actions performed on the data storage device. The action types may include system calls to the data storage device. The at least one of the devices may include at least one disk storage area of the data storage device. The at least one of the devices may include communication ports of the data storage device. The action types may indicate whether system calls are allowed on the communication ports. The computer software may further include executable code that returns a tag that may be used in connection with subsequent requests that the action be performed in response to a requested action being authorized.
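The authorization check summarized in the preceding paragraphs (requestor list with default-or-deny fallback, per-group action types with levels of authorization, per-action device lists, and a tag returned for subsequent requests), written out as an added Python example. This is illustrative code written for this page, not code from the application or from EMC. The policy layout, the integer levels with a per-action required level, the group and device names, and the HMAC-based tag format are assumptions made for the example; the text only says that a tag is returned.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumption: levels are integers and each action type carries the minimum
# level a group needs for it; level 0 (or absent) means "not authorized".
ACTION_TYPES = {              # action type -> (required level, takes devices?)
    "syscall.mirror": (2, True),
    "syscall.copy":   (1, True),
    "syscall.backup": (1, True),
    "syscall.status": (1, False),   # no device argument
}

# Constructed sample policy: hypothetical group (requestor) names and device IDs.
POLICY = {
    "default_group": None,    # name a group here to use a default requestor
    "groups": {
        "tenant-a": {
            "levels": {"syscall.copy": 1, "syscall.status": 1, "syscall.mirror": 2},
            "devices": {
                "syscall.copy":   {"disk:0x10", "disk:0x11"},
                "syscall.mirror": {"disk:0x10", "disk:0x11", "port:FA-1A"},
            },
        },
        "tenant-b": {
            "levels": {"syscall.copy": 1, "syscall.status": 1},
            "devices": {"syscall.copy": {"disk:0x20"}},
        },
    },
}

TAG_KEY = secrets.token_bytes(32)   # per-process secret (assumption)
TAG_TTL = 300                       # seconds a tag stays usable (assumption)

class Denied(Exception):
    pass

def resolve_group(policy, requestor):
    """Step 1: is the requestor in the list of requestors? If not, use the
    configured default group or deny (the text allows either)."""
    groups = policy["groups"]
    if requestor in groups:
        return requestor
    default = policy.get("default_group")
    if default in groups:
        return default
    raise Denied(f"unknown requestor {requestor!r}")

def authorize(policy, requestor, action, devices=(), now=None):
    """Return a tag if (requestor, action, devices) is authorized, else raise
    Denied. Anything unexpected fails closed."""
    if action not in ACTION_TYPES:
        raise Denied(f"unknown action type {action!r}")
    required, takes_devices = ACTION_TYPES[action]
    group = resolve_group(policy, requestor)
    entry = policy["groups"][group]
    # Step 2: action type must be in the group's list at a sufficient level.
    if entry["levels"].get(action, 0) < required:
        raise Denied(f"{group} is not authorized for {action}")
    devices = frozenset(devices)
    # Step 3: for device-using actions every named device must be in the
    # device list for this (group, action); a cross-tenant disk is refused here.
    if takes_devices:
        allowed = entry["devices"].get(action, set())
        if not devices or not devices <= allowed:
            raise Denied(f"{group} may not run {action} on {sorted(devices - allowed) or 'no device'}")
    elif devices:
        raise Denied(f"{action} takes no device argument")
    return make_tag(group, action, devices, now)

def make_tag(group, action, devices, now=None):
    """Tag bound to the authorized request; a later 'perform' request must
    present it and match exactly (HMAC format is an assumption)."""
    now = int(time.time()) if now is None else now
    body = {"g": group, "a": action, "d": sorted(devices),
            "exp": now + TAG_TTL, "n": secrets.token_hex(8)}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return blob.hex() + "." + hmac.new(TAG_KEY, blob, hashlib.sha256).hexdigest()

def check_tag(policy, tag, requestor, action, devices=(), now=None):
    """Verify a tag presented with a subsequent request to perform the action."""
    try:
        blob_hex, mac = tag.split(".", 1)
        blob = bytes.fromhex(blob_hex)
        group = resolve_group(policy, requestor)
    except (ValueError, Denied):
        return False
    if not hmac.compare_digest(mac, hmac.new(TAG_KEY, blob, hashlib.sha256).hexdigest()):
        return False
    body = json.loads(blob)
    now = int(time.time()) if now is None else now
    return (body["g"] == group and body["a"] == action
            and body["d"] == sorted(devices) and body["exp"] > now)
```

Two points worth noting. The device check is what closes the indirect-access path described in the related-art section: a group that is allowed to issue a copy system call still cannot name another tenant's disk area or a port it has not been granted. And the tag is only useful if the subsequent "perform" request is checked against it with the same requestor, action and device set, which is why it is keyed and bound to all three rather than being a bare handle.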